Compromising Jenkins and extracting credentials

Jenkins is an open-source continuous integration tool written in Java. While useful to developers, it can also be useful to attackers. Developers often leave Jenkins consoles in an insecure state, especially within development environments. Jenkins ships with a script console that can be used to run arbitrary Groovy code.

Below is an example of the console. It is typically found under Manage Jenkins -> Script Console, or by going to /script from the root of the Jenkins URL.

As you can see, there is also a credentials tab. It is common for developers to store credentials within Jenkins. While these passwords cannot be viewed from within the web console, they can be extracted from the system itself.

To create a reverse shell on the system, we need to use a Groovy script. Since Groovy runs on the JVM and accepts Java syntax, we can use a Java reverse shell from pentestmonkey.
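Every step in this chain starts with a request to the script console, so the access log of the reverse proxy in front of Jenkins is where a defender can spot it. The following Python script is an added example and is not from the original post; it assumes an nginx-style combined-format access log (the sample lines are constructed) and flags script console views, successful Groovy submissions to /script or /scriptText, and credential-store browsing for correlation.

```python
import re

# Constructed nginx combined-format access log lines for a reverse proxy in
# front of Jenkins; addresses, timestamps and job names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /job/build-app/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:16:44 +0000] "GET /script HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:17:02 +0000] "POST /script HTTP/1.1" 200 9231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:17:30 +0000] "POST /scriptText HTTP/1.1" 200 312 "-" "curl/7.88.1"
10.0.0.5 - - [12/Mar/2024:10:18:10 +0000] "GET /credentials/store/system/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# /script is the interactive console from the post; /scriptText is the same
# console's plain-text endpoint, which scripted clients use.
CONSOLE_PATHS = {"/script", "/scriptText"}

def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Label one parsed request, or return None when it needs no attention."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    if path in CONSOLE_PATHS:
        # A 2xx POST means Groovy was submitted and ran; anything else only touched the page.
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            return "script-console-exec"
        return "script-console-access"
    if path.startswith("/credentials/"):
        return "credentials-store-browse"  # normal for admins; kept for correlation
    return None

def detect(log_text):
    """Return one alert dict per noteworthy request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"], "label": label})
    return alerts
```

A non-browser user agent on a script-console-exec hit, as in the curl line above, is the strongest single signal; pair it with the Jenkins audit trail plugin if you have it, since the proxy log cannot show which user was authenticated.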

Often the jenkins user is given sudo permissions with no password, so we can easily escalate to a root shell if we need to.

jenkins@victim:/$ sudo -i
sudo -i

Once we have that, we need to locate the Jenkins install. In this case, it was found under /opt/jenkins. Listing the contents of the directory shows a credentials.xml file and a secrets/ directory.

root@victim:/opt/jenkins # ls
...
credentials.xml
...

The encrypted passwords are stored in credentials.xml. We will need this file, as well as some of the keys from the secrets/ directory, to be able to decrypt it. One of the ways we can exfiltrate these files is via netcat. On the victim we will do the following, one at a time: